US11616847B2 - Leveraging web cookies for carrying messages across cloud application communications - Google Patents
- Publication number
- US11616847B2
- Authority
- US
- United States
- Prior art keywords
- application
- response
- cookie
- request
- end component
- Prior art date
- Legal status
- Active, expires
Classifications
- All under H—ELECTRICITY; H04—ELECTRIC COMMUNICATION TECHNIQUE; H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION; H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L67/10—Protocols in which an application is distributed across nodes in the network
- H04L67/14—Session management; H04L67/142—Managing session states for stateless protocols; Signalling session states; State transitions; Keeping-state mechanisms
- H04L67/50—Network services; H04L67/56—Provisioning of proxy services
- H04L67/564—Enhancement of application control based on intercepted application data
Definitions
- This threefold endeavor serves as the cornerstone of user access management and impacts user activity across all environments, from public and private clouds to virtual networks and on-premise servers. Because of this far-reaching impact, one approach to user access management for an organization may be to implement automated session control protocols that can limit or restrict exactly what a user can access across web or mobile applications and other enterprise systems, depending on various login factors.
- A cloud access security broker (CASB) is a proxy that sits between cloud applications and users of cloud applications, monitoring interactions between the two sides and enforcing security policies during these interactions.
- a CASB may be able to intercept a user request and, based on a series of access control protocols, determine what the user can access and interact with regarding the client's resources.
- a CASB can collect important information about the user traffic within the client's computing ecosystem, which provides valuable insights for detecting, diagnosing, and remedying possible security breaches.
- a company may grant a set of users access to upload customer account information to a particular document management system within the organization's virtual network. Additionally, the company may stipulate, as a customer privacy measure, that no social security information is to be included within that uploaded data. At the same time, the company may want another group of users to be permitted to view this customer information but not to download any of this specific content to their devices. In addition, the company may want reporting functionality that can detect odd access patterns for the two user groups described above.
- a conventional proxying environment may fail to communicate to users the reasons for a blockage, possibly leaving users unaware both that an action was blocked and why, especially during technical ‘incursions’ such as traffic blocks.
- a conventional proxying environment could use a complex multi-channel communication scheme that may adversely impact the resources and efficiency of a computing ecosystem.
- Embodiments described herein are directed to leveraging web cookies to carry messages across cloud application communications, wherein the messages are between entities that are not part of the cloud application itself.
- a proxy server is interconnected between a client computer that is executing a front-end component of an application and an application server that is executing a back-end component of the application.
- the proxy server intercepts a request from the front-end component that is intended for the back-end component and generates a response thereto that includes a command to create a web cookie at the client computer, wherein the web cookie includes data to be utilized by a custom code component of the client computer.
- the proxy server may further cause the custom code component to be injected into the front-end component of the application for execution by the client computer.
- FIG. 1 is a block diagram of an example system that enables redirection of requests for a cloud application from the cloud application to a proxy access service, in accordance with an embodiment.
- FIG. 2 is a block diagram of an example system that enables generating, at a proxy server interconnected between a client computer and an application server, a response to an intercepted request that includes a command to create a web cookie at the client computer and where the web cookie includes data intended for utilization at the client computer, in accordance with an embodiment.
- FIG. 3 depicts a flowchart of a method for generating, at a proxy server interconnected between a client computer and an application server, a response to an intercepted request that includes a command to create a web cookie at the client computer and where the web cookie includes data to be utilized by a custom code component of the client computer, in accordance with an embodiment.
- FIG. 4 depicts a flowchart of various methods of generating a response to a request that includes a command to create a cookie at a client computer, where the cookie includes data to be utilized by a custom code component, in accordance with an example embodiment.
- FIG. 5 depicts a flowchart of a method performed at a client computer for injecting a custom code component into a front-end component of an application, creating a web cookie on the client computer, and utilizing the data included in the web cookie at the client computer, in accordance with an embodiment.
- FIG. 6 depicts an example display of a web browser including a web page of a target application, in accordance with an embodiment.
- FIG. 7 is a block diagram of an example computing device that may be used to implement embodiments.
- references in the specification to “one embodiment,” “an embodiment,” “an example embodiment,” etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. Moreover, such phrases are not necessarily referring to the same embodiment. Further, when a particular feature, structure, or characteristic is described in connection with an embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
- Embodiments described herein bestow improvements to this unique technology that optimize visibility and control without reducing productivity or risking application failure.
- Embodiments described herein provide for a nimble communication process by injecting or modifying Hypertext Transfer Protocol (HTTP) headers of regular application responses for messaging across cloud application communications with minimal intervention in client-side/cloud-based application communication traffic and with minimal impact on the client-side application.
- an HTTP header may be modified to include a “Set-Cookie” command that causes a web cookie to be created on the client; the cookie carries the desired messaging or other information, which can then be read by custom code running at the client.
- a service worker may be employed at the client to obtain relevant values from a custom HTTP header.
- FIG. 1 is a block diagram of an example system 100 that enables redirection of requests for a cloud application from the cloud application to a proxy access service while a user's proxy session is active.
- system 100 includes a cloud services network 102 and a client computer 112 .
- cloud services network 102 includes an application server 104 , a resource endpoint 106 , an identity provider 108 , and a proxy access service 110
- client computer 112 includes a web browser 114 .
- cloud services network 102 hosts an application in which resources associated with the application are stored on application server 104 .
- the application may be any type of web-accessible application/service, such as a database application, a social networking application, a messaging application, a financial services application, a news application, a search application, a web-accessible productivity application, a cloud storage and/or file hosting application, or the like.
- Although cloud services network 102 of FIG. 1 is shown hosting one application, it is to be understood that the techniques described herein may apply to cloud services networks that host more than one application.
- Application server 104 may include one or more server devices and/or other computing devices.
- Resource endpoint 106 may serve as a login endpoint for a resource of a cloud application and indicate where the resource can be accessed by a client device on application server 104 .
- Identity provider 108 may create, maintain, and manage identity information associated with users while providing authentication services to relying cloud applications and/or services, and proxy access service 110 may monitor and manage interactions between cloud applications and users of these cloud applications.
- Web browser 114 executing on client computer 112 may enable interactions between a user of client computer 112 and cloud applications.
- Each component of cloud services network 102 and client computer 112 may be communicatively connected via one or more networks (not pictured in FIG. 1 ).
- These one or more networks may include, for example, a local area network (LAN), a wide area network (WAN), a personal area network (PAN), and/or a combination of communication networks, such as the Internet.
- Client computer 112 may be any type of stationary or mobile computing device, including a mobile computer or mobile computing device (e.g., a smart phone, a laptop computer, a notebook computer, a tablet computer such as an Apple iPad™, a netbook, etc.), a wearable computing device (e.g., a smart watch, a head-mounted device including smart glasses such as Google® Glass™, etc.), or a stationary computing device such as a desktop computer or PC (personal computer).
- resource endpoint 106 may receive a request 120 from client computer 112 originating in web browser 114 (e.g., by issuing a Uniform Resource Locator (URL) of the application in web browser 114 ).
- request 120 is a request for access to the resource (e.g., web pages, e-mail information from databases, or web services) of the application on behalf of a user of client computer 112 .
- resource endpoint 106 may determine that the user has not yet been authenticated and may therefore provide a response 122 to web browser 114 that causes browser 114 to send a request 124 to identity provider 108 for user authentication. For instance, resource endpoint 106 may redirect web browser 114 to identity provider 108 in response to determining that a token, which enables resource endpoint 106 to determine whether the user should be granted access to the resource, was not provided with request 120 .
- identity provider 108 may determine based on an access policy whether web browser 114 should access the resource via proxy access service 110 .
- An access policy may outline which users' (or groups of users') and which applications' network cloud traffic should be routed to proxy access service 110 for monitoring and/or managing.
- an information technology (IT) administrator for an organization may set access policies for applications and users of client devices that access a computer network of the organization (e.g., contract employees of the organization).
- identity provider 108 may evaluate a user's login (e.g., username and password) to determine if there is a policy associated with that user and establish that a particular user is a contract employee based on the contract employee's username including an indicator of her employment status.
- Identity provider 108 may further authenticate the user associated with request 124 and create a token that can be used to determine whether the user should be granted access to the resource. In some embodiments, during authentication, a user may be prompted by identity provider 108 to provide his or her user login credentials. After determining that web browser 114 should access the resource via proxy access service 110 , identity provider 108 may send a response 126 to web browser 114 that includes an encrypted version of the token and that redirects web browser 114 to send a request 128 to proxy access service 110 that includes such encrypted token.
- proxy access service 110 may decrypt the token and then generate a corresponding request 130 that includes the decrypted token and provide it to resource endpoint 106 .
- Resource endpoint 106 may grant or deny access to the resource located on application server 104 based on the token. If access is granted, application server 104 may interpret request 130 , generate a response 132 to request 130 , and issue response 132 to proxy access service 110 .
- response 132 may include a file stored on application server 104 or an output from executing a program kept on application server 104 . In other embodiments, response 132 may include an error message if the request could not be fulfilled.
- proxy access service 110 may generate a response 134 and send it to web browser 114 .
- web browser 114 may interpret response 134 and display contents of response 134 on a window of web browser 114 for the user of client computer 112 .
- Response 134 may be the same as response 132 or augmented by proxy access service 110 based on control policies (discussed in greater detail in reference to FIG. 4 ).
- Any further requests related to accessing the resource of application server 104 and originating in web browser 114 during the user's proxy session may be directed to proxy access service 110, and any responses generated by proxy access service 110 to the further requests may be issued to web browser 114 by proxy access service 110 on behalf of resource endpoint 106.
- a suffix proxy may be implemented in system 100 to keep the user within the session.
- Suffix proxies permit the user to access resources by including the name of a proxy server to the requested resource URL.
- relevant URLs for the application hosted in cloud services network 102 may be replaced with unique URLs.
- the link to the webpage may appear as: targetapplication.com.proxyserver.
- FIG. 2 is a block diagram of an example system 200 that enables generating, at a proxy server interconnected between a client computer and an application server, a response to an intercepted request that includes a command to create a web cookie at the client computer and where the web cookie includes data intended for utilization at the client computer.
- system 200 includes: a proxy server 210 , client computer 112 , and application server 104 , the last two being described in FIG. 1 .
- proxy server 210 includes proxy access service 110, as described in FIG. 1, and a proxy server storage 214, which stores a control policy 216. Additionally depicted in FIG. 2, client computer 112 includes: 1) web browser 114 (as described in FIG. 1 and further comprising an application front-end component 202 and a custom code component 204) and 2) a web browser storage 206, which stores a web cookie 208.
- application server 104 includes an application back-end component 212 .
- Proxy server 210 may be communicatively interconnected between client computer 112 and application server 104 via one or more networks (not pictured in FIG. 2 ). These one or more networks may include, for example, a local area network (LAN), a wide area network (WAN), a personal area network (PAN), and/or a combination of communication networks, such as the Internet. Proxy server 210 may establish itself as an intermediary for client computer 112 and application server 104 using the process described in FIG. 1 for establishing a redirection of requests made by a client computer for an application to a proxy server. Proxy server 210 may also comprise one or more server devices and/or other computing devices.
- Application front-end component 202 and application back-end component 212 are example components of the cloud application hosted in cloud services network 102 described in FIG. 1 . As shown in FIG. 2 , application front-end component 202 may be represented as a web page displayed in web browser 114 . In other embodiments, application front-end component 202 may also be an Internet-enabled application executing on client computer 112 . Still other implementations of application front-end component 202 are possible.
- Proxy access service 110 running on proxy server 210 may be configured to intercept a request from application front-end component 202 that is intended for application back-end component 212 . Proxy access service 110 may be further configured to generate a response to the intercepted request that includes a command to create a web cookie at a client computer 112 .
- the web cookie may include data intended for utilization at client computer 112 .
- proxy access service 110 may generate a response 218 RS that includes a command to create a web cookie, and return response 218 RS to web browser 114 .
- web browser 114 may execute the command, create web cookie 208 and store web cookie 208 in web browser storage 206 .
- the data included in web cookie 208 could be utilized by components of client computer 112 in several ways.
- the data may include a notification for displaying in a window of web browser 114 for the user of client computer 112 .
- the data may include code for closing web browser 114 to terminate a session between a user and an application.
- proxy access service 110 may return response 218 RS to web browser 114 that comprises an HTTP response in response to receiving request 218 RQ.
- proxy access service 110 may provide the command to create a web cookie at client computer 112 by including in response 218 RS a Set-Cookie HTTP response header. This header from a server instructs a client computer to store a cookie at the client computer.
- a web cookie is data connected to a client-side context that is useful to a server.
- web cookies are mainly used for session management (e.g., logins, shopping carts, game scores, etc.), personalization (e.g., user preferences, themes, other settings), and tracking of user behavior.
- a web cookie is usually stored by a web browser and returned to a server in requests, where the data of the web cookie is utilized at the server.
- web cookie 208 includes data to be utilized by components of the client computer.
- proxy access service 110 may inject or modify an HTTP header of 218 RS in some other manner than that described above (“Set-Cookie”) to cause messaging or other desired information to be carried to client computer 112 where it can be obtained by custom code executing thereon.
- as an alternative to Set-Cookie, a service worker may be employed at client computer 112 to obtain relevant values from a custom HTTP header.
- FIG. 3 depicts a flowchart 300 of a method for generating, at a proxy server interconnected between a client computer and an application server, a response to an intercepted request that includes a command to create a web cookie at the client computer, wherein the web cookie includes data to be utilized by a custom code component of the client computer, according to an example embodiment.
- FIG. 3 will be described with continued reference to FIG. 2 .
- Other structural and operational embodiments will be apparent to persons skilled in the relevant art(s) based on the following discussion regarding flowchart 300.
- a custom code component is caused to be injected into the front-end component of the application.
- proxy access service 110 may cause custom code component 204 to be injected into application front-end component 202 by including custom code component 204 in response 218 RS.
- web browser 114 issues request 218 RQ for a web page of application front-end component 202 .
- Proxy access service 110 may then issue request 220 RQ to obtain the web page from application server 104 .
- proxy access service 110 may append code (e.g., JavaScript) to the web page and provide it to web browser 114 via response 218 RS.
- response 218 RS is received and interpreted by web browser 114
- the web page of application front-end component 202 containing the code is displayed and custom code component 204 is executing in web browser 114 .
- custom code component 204 may periodically check web browser storage 206 to determine if a new cookie has been received and when a new cookie is detected, utilize the data that is included in the new cookie.
- proxy access service 110 is configured to append code to the web page in response to determining that a main web page of the application is being loaded.
- By providing the code to web browser 114 by “piggybacking off” an already-occurring request/response for a resource, proxy server 210 does not have to find another communication channel for transferring the code and can transfer it with minimal intrusion on network cloud traffic and on the system itself.
- a request, sent from the front-end component of the application to the back-end component of the application is intercepted.
- proxy access service 110 intercepts request 218 RQ sent from application front-end component 202 to application back-end component 212 .
- an identity provider relied upon by the application for identity provider services, may have determined based on an access policy that request 218 RQ should be redirected to proxy access service 110 .
- the identity provider may identify an access policy associated with a user of client computer 112 and/or the application. As such, any requests sent from application front-end component 202 to application back-end component 212 will be redirected to proxy access service 110 during the user's active proxy session.
- a response to the request is generated that includes a command to create a cookie at the client computer, where the cookie includes data to be utilized by the custom code component.
- proxy access service 110 may generate a response 218 RS including a command to create a web cookie at client computer 112 and return response 218 RS to web browser 114.
- web browser 114 may execute the command, thereby creating web cookie 208 and storing web cookie 208 in web browser storage 206 .
- the data included in web cookie 208 may be utilized by custom code component 204 of client computer 112 in various manners based on the type of data included in web cookie 208 .
- the data included in web cookie 208 may comprise a message concerning an action that was blocked by proxy access service 110 (e.g., downloading a resource with customer credit card numbers) and custom code component 204 may utilize such data to superimpose a warning message across the display of the web page associated with the application requesting the download.
- the data included in web cookie 208 and consumed by custom code component 204 may comprise one or more of: information to be displayed by custom code component 204 (e.g., messages, notifications, and/or warnings to be displayed in a window of a web browser); actions to be performed by custom code component 204 (e.g., increasing the frequency at which to check for new web cookies, downloading additional web content from a different location, etc.); and instructions to be executed by the custom code component (e.g., actual code to be executed by custom code component 204).
- FIG. 4 depicts a flowchart 400 of various methods of performing step 306 of flowchart 300 of FIG. 3 .
- a response to the request is generated that includes a command to create a cookie at the client computer, where the cookie includes data to be utilized by the custom code component.
- proxy access service 110 may generate a response 218 RS in response to receiving and interpreting request 218 RQ and return it to application front-end component 202 . Based on its interpretation, proxy access service 110 may determine that request 218 RQ comprised an action that should be blocked and may generate response 218 RS itself based on this determination.
- proxy access service 110 may prevent the upload by not forwarding the request to application back-end component 212 at all, instead generating response 218 RS itself and returning it to application front-end component 202, wherein response 218 RS includes a command to create a web cookie that includes a notification indicating why the user's action was blocked, such as: “The sharing of security-sensitive company material externally is strictly prohibited.”
- a security administrator for an organization may develop the content of a notification associated with a blocked action.
- a response received from the application back-end component is modified.
- proxy access service 110 may modify response 220 RS received from application back-end component 212 before sending the response to application front-end component 202 .
- application front-end component 202 issues request 218 RQ concerning a resource download and proxy access service 110 determines that the resource download should be blocked. Instead of blocking the action here by not forwarding it to application back-end component 212 , proxy access service 110 may issue corresponding request 220 RQ, requesting application back-end component 212 to fulfill the request.
- proxy access service 110 may modify response 220 RS by replacing the resource meant for download with a “fake” file. Proxy access service 110 may then generate response 218 RS, including the fake file and a command to generate a web cookie that includes a message indicating why the download was blocked. This gives proxy access service 110 the flexibility of not having to understand the response and avoids disturbing the front-end component of the application.
- Proxy access service 110 may further block an action or generate/modify a response based on control policy 216 stored in proxy server storage 214 .
- a control policy may define which characteristics of network cloud traffic should be managed and what actions need to be taken in managing the network cloud traffic. Some examples of the characteristics include: device identification such as identifying that a request is issued by an unmanaged client device; location information of cloud applications seeking to be accessed; confidentiality classifications of resources associated with a request; and sensitivity levels of content of resources associated with a request.
- examples of actions that need to be taken in managing the network cloud traffic include: allowing unrestricted access to a cloud application but monitoring the interaction between users and the cloud application; blocking the download of a resource; and providing further protection to a resource by encrypting the content of a resource being uploaded to a cloud application.
- a security administrator of an organization may set these control policies.
- FIG. 5 depicts a flowchart 500 of a method performed at a client computer for injecting a custom code component into a front-end component of an application, creating a web cookie on the client computer, and utilizing the data included in the web cookie at the client computer.
- the method of flowchart 500 begins at step 502 .
- a custom code component is received from the proxy server.
- application front-end component 202 receives a custom code component from proxy access service 110 via response 218 RS after issuing request 218 RQ to proxy access service 110 .
- proxy access service 110 may append code to the web site and provide it to application front-end component 202 via response 218 RS.
- the code may be injected as part of the regular loading of a main web page of an application.
- the custom code component is injected into the front-end component of the application.
- custom code component 204 included in response 218 RS is appended to the web page of application front-end component 202 so that it is executed by web browser 114 .
- such custom code component 204 may be configured to periodically check to determine if a new web cookie has been stored (e.g., web cookie 208 ).
- a request intended for the back-end component of the application is generated.
- application front-end component 202 generates request 218 RQ intended for application back-end component 212 .
- the request is sent to the proxy server.
- application front-end component 202 sends the request to the proxy server 210 .
- proxy access service 110 intercepts request 218 RQ sent from application front-end component 202 to application back-end component 212 .
- a response to the request is received from the proxy server, where the response includes a command to create a cookie that was created by the proxy server.
- application front-end component 202 receives response 218 RS to the request 218 RQ from proxy server 210 , where the response 218 RS includes a command to create a cookie that was created by proxy server 210 .
- the cookie is created on the client computer based on the command.
- web browser 114 , in response to receiving response 218 RS, creates the cookie on client computer 112 based on the command.
- web browser 114 may execute the command and create web cookie 208 and store web cookie 208 in web browser storage 206 .
- custom code component 204 utilizes data that is included in web cookie 208 .
- Custom code component 204 may detect that web cookie 208 has been newly stored in web browser storage 206 .
- Custom code component 204 may retrieve the data and perform the actions indicated by the data. If the blocked action is an upload of a resource including sensitive business information, the data contained in web cookie 208 may include information to be displayed in web browser 114 , alerting that the upload has been blocked and specifying the reason for it being blocked.
- FIG. 6 depicts an example display 600 of web browser 114 including a web page 602 of a target application (as indicated by the URL www.targetappliation.com.proxyserver), in accordance with embodiments described herein.
- a user has selected to upload a file, named BusinessInformation, to www.targetapplication.com by selecting the upload button in a prompt 602 .
- custom code component 204 overlays across the display of web page 602 a notification 606 , stating: “Your action has been blocked. Uploads of files assigned the top confidential level are not available for upload to Target Application.”
- the user may click the dismiss button in notification 606 . Clicking the dismiss button triggers web browser 114 to send a request to dismiss notification 606 to proxy access service 110 . After receiving the request, proxy access service 110 returns a response prompting web browser 114 to set web cookie 208 to expired.
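The blocked-upload flow described above (control policy check, proxy-generated response carrying a notification cookie, the injected component polling for the cookie and displaying it once, and the dismiss response expiring the cookie), as an added example that is not the patent's own code. All names and values here (the `pas_notify` cookie, `CONTROL_POLICY`, `SENSITIVITY_RANK`, the request shape) are constructed for the example; the browser's cookie jar is simulated so the code runs in Node without a browser.

```javascript
// Added example (not the patent's code): a proxy access service that blocks a policy-
// violating upload and carries the reason to the browser in a cookie, plus the injected
// client-side component that polls for it. All names and values here are constructed.
const NOTIFY_COOKIE = "pas_notify"; // constructed cookie name

// Constructed control policy: block uploads of resources at or above a sensitivity level.
const SENSITIVITY_RANK = { public: 0, internal: 1, confidential: 2, "top confidential": 3 };
const CONTROL_POLICY = {
  blockUploadAtOrAbove: "top confidential",
  blockedUploadMessage: "Your action has been blocked. Uploads of files assigned the top " +
    "confidential level are not available for upload to Target Application.",
};

// Proxy side: is this request an action the control policy says to block?
function shouldBlock(request, policy) {
  if (request.action !== "upload") return false;
  const rank = SENSITIVITY_RANK[request.sensitivity];
  return rank !== undefined && rank >= SENSITIVITY_RANK[policy.blockUploadAtOrAbove];
}

// base64 keeps the cookie value free of ';', ',', whitespace, quotes and backslashes.
function encodeCookiePayload(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64");
}
function decodeCookiePayload(value) {
  return JSON.parse(Buffer.from(value, "base64").toString("utf8"));
}

// Proxy side: answer the blocked request itself instead of forwarding it to the back end.
// HttpOnly is deliberately absent: the injected script has to read this cookie.
function buildBlockedResponse(request, policy) {
  const payload = { kind: "display", message: policy.blockedUploadMessage, ref: request.id };
  const cookie = `${NOTIFY_COOKIE}=${encodeCookiePayload(payload)}; Path=/; Secure; SameSite=Strict`;
  return { status: 403, headers: { "Set-Cookie": cookie }, body: "" };
}

// Proxy side: reply to the "dismiss" request; Max-Age=0 tells the browser to expire the cookie.
function buildDismissResponse() {
  const cookie = `${NOTIFY_COOKIE}=; Path=/; Max-Age=0; Secure; SameSite=Strict`;
  return { status: 204, headers: { "Set-Cookie": cookie }, body: "" };
}

// Client side: parse a document.cookie-style string ("a=1; b=2") into a Map.
function parseCookies(cookieString) {
  const out = new Map();
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx > 0) out.set(part.slice(0, idx).trim(), part.slice(idx + 1).trim());
  }
  return out;
}

// Client side: the periodic check run by the injected component. `seen` remembers values
// already displayed; only "display" payloads with a string message are honoured, so a
// cookie carrying anything else (including code) is ignored rather than acted on.
function checkForNotification(cookieString, seen) {
  const value = parseCookies(cookieString).get(NOTIFY_COOKIE);
  if (!value || seen.has(value)) return null;
  let payload;
  try { payload = decodeCookiePayload(value); } catch { return null; } // malformed: ignore
  if (payload === null || typeof payload !== "object") return null;
  if (payload.kind !== "display" || typeof payload.message !== "string") return null;
  seen.add(value);
  return payload.message;
}

// Browser stand-in: apply a Set-Cookie header to a name->value jar (Max-Age=0 deletes).
function applySetCookie(jar, setCookieHeader) {
  const [pair, ...attrs] = setCookieHeader.split(";").map((s) => s.trim());
  const idx = pair.indexOf("=");
  if (attrs.some((a) => /^max-age=0$/i.test(a))) jar.delete(pair.slice(0, idx));
  else jar.set(pair.slice(0, idx), pair.slice(idx + 1));
  return jar;
}
const jarToCookieString = (jar) => [...jar].map(([k, v]) => `${k}=${v}`).join("; ");
// End-to-end walk-through: blocked upload -> cookie -> displayed once -> dismissed.
function demo() {
  const request = { id: "req-1", action: "upload", resource: "BusinessInformation", sensitivity: "top confidential" };
  const jar = new Map([["session", "abc"]]); // constructed pre-existing cookie, must survive
  const seen = new Set();
  if (!shouldBlock(request, CONTROL_POLICY)) return { shown: null };
  applySetCookie(jar, buildBlockedResponse(request, CONTROL_POLICY).headers["Set-Cookie"]);
  const shown = checkForNotification(jarToCookieString(jar), seen);
  const shownAgain = checkForNotification(jarToCookieString(jar), seen); // same cookie, not re-shown
  applySetCookie(jar, buildDismissResponse().headers["Set-Cookie"]);
  const afterDismiss = checkForNotification(jarToCookieString(jar), seen);
  return { shown, shownAgain, afterDismiss, sessionKept: jar.get("session") };
}
console.log(demo());
```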
- FIG. 7 depicts an example processor-based computer system 700 that may be used to implement various embodiments described herein, such as any of the embodiments described in the Sections above and in reference to FIGS. 1 - 6 .
- processor-based computer system 700 may be used to implement any of the components of systems 100 and 200 as described above in reference to FIGS. 1 and 2 as well as any of the flowcharts described above in reference to FIGS. 3 - 5 .
- the description of system 700 provided herein is provided for purposes of illustration and is not intended to be limiting. Embodiments may be implemented in further types of computer systems, as would be known to persons skilled in the relevant art(s).
- computing device 700 includes one or more processors, referred to as processor circuit 702 , a system memory 704 , and a bus 706 that couples various system components including system memory 704 to processor circuit 702 .
- Processor circuit 702 is an electrical and/or optical circuit implemented in one or more physical hardware electrical circuit device elements and/or integrated circuit devices (semiconductor material chips or dies) as a central processing unit (CPU), a microcontroller, a microprocessor, and/or other physical hardware processor circuit.
- Processor circuit 702 may execute program code stored in a computer readable medium, such as program code of operating system 730 , application programs 732 , other programs 734 , etc.
- Bus 706 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures.
- System memory 704 includes read only memory (ROM) 708 and random access memory (RAM) 710 .
- a basic input/output system 712 (BIOS) is stored in ROM 708 .
- Computing device 700 also has one or more of the following drives: a hard disk drive 714 for reading from and writing to a hard disk, a magnetic disk drive 716 for reading from or writing to a removable magnetic disk 718 , and an optical disk drive 720 for reading from or writing to a removable optical disk 722 such as a CD ROM, DVD ROM, or other optical media.
- Hard disk drive 714 , magnetic disk drive 716 , and optical disk drive 720 are connected to bus 706 by a hard disk drive interface 724 , a magnetic disk drive interface 726 , and an optical drive interface 728 , respectively.
- the drives and their associated computer-readable media provide nonvolatile storage of computer-readable instructions, data structures, program modules and other data for the computer.
- although a hard disk, a removable magnetic disk and a removable optical disk are described, other types of hardware-based computer-readable storage media can be used to store data, such as flash memory cards, digital video disks, RAMs, ROMs, and other hardware storage media.
- a number of program modules may be stored on the hard disk, magnetic disk, optical disk, ROM, or RAM. These programs include operating system 730 , one or more application programs 732 , other programs 734 , and program data 736 . Application programs 732 or other programs 734 may include, for example, computer program logic (e.g., computer program code or instructions) for implementing the systems described above, including the embodiments described in reference to FIGS. 1 - 6 .
- a user may enter commands and information into the computing device 700 through input devices such as keyboard 738 and pointing device 740 .
- Other input devices may include a microphone, joystick, game pad, satellite dish, scanner, a touch screen and/or touch pad, a voice recognition system to receive voice input, a gesture recognition system to receive gesture input, or the like.
- these and other input devices may be connected to processor circuit 702 through a serial port interface 742 that is coupled to bus 706 , but may be connected by other interfaces, such as a parallel port, game port, or a universal serial bus (USB).
- a display screen 744 is also connected to bus 706 via an interface, such as a video adapter 746 .
- Display screen 744 may be external to, or incorporated in computing device 700 .
- Display screen 744 may display information, as well as being a user interface for receiving user commands and/or other information (e.g., by touch, finger gestures, virtual keyboard, etc.).
- computing device 700 may include other peripheral output devices (not shown) such as speakers and printers.
- Computing device 700 is connected to a network 748 (e.g., the Internet) through an adaptor or network interface 750 , a modem 752 , or other means for establishing communications over the network.
- Modem 752 , which may be internal or external, may be connected to bus 706 via serial port interface 742 , as shown in FIG. 7 , or may be connected to bus 706 using another interface type, including a parallel interface.
- as used herein, the terms “computer program medium,” “computer-readable medium,” and “computer-readable storage medium” are used to generally refer to physical hardware media such as the hard disk associated with hard disk drive 714 , removable magnetic disk 718 , removable optical disk 722 , other physical hardware media such as RAMs, ROMs, flash memory cards, digital video disks, zip disks, MEMs, nanotechnology-based storage devices, and further types of physical/tangible hardware storage media (including system memory 704 of FIG. 7 ). Such computer-readable storage media are distinguished from and non-overlapping with communication media (do not include communication media). Communication media typically embodies computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave.
- modulated data signal means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal.
- communication media includes wireless media such as acoustic, RF, infrared and other wireless media, as well as wired media. Embodiments are also directed to such communication media.
- computer programs and modules may be stored on the hard disk, magnetic disk, optical disk, ROM, RAM, or other hardware storage medium. Such computer programs may also be received via network interface 750 , serial port interface 742 , or any other interface type. Such computer programs, when executed or loaded by an application, enable computing device 700 to implement features of embodiments discussed herein. Accordingly, such computer programs represent controllers of the computing device 700 .
- Embodiments are also directed to computer program products comprising computer code or instructions stored on any computer-readable medium.
- Such computer program products include hard disk drives, optical disk drives, memory device packages, portable memory sticks, memory cards, and other types of physical storage hardware.
- a system includes: a proxy server interconnected between a client computer and an application server, the client computer executing a front-end component of an application and the application server executing a back-end component of the application, the proxy server being configured to: cause a custom code component to be injected into the front-end component of the application; intercept a request sent from the front-end component of the application and intended for the back-end component of the application; and generate a response to the request that includes a command to create a cookie at the client computer, the cookie including data to be utilized by the custom code component.
- the front-end component of the application comprises a web page displayed by a web browser executing on the client computer.
- the proxy server is configured to cause the custom code component to be injected into the front-end component of the application by: appending code to the web page.
- the proxy server is configured to append the code to the web page in response to determining that a main web page of the application is being loaded.
- the request comprises a Hypertext Transfer Protocol (HTTP) request and the response comprises an HTTP response.
- the proxy server is configured to generate the response by: creating a response; or modifying a response received from the application back-end component.
- the proxy server is further configured to determine that the request comprises an action that should be blocked and to generate the response based on the determination.
- the data to be utilized by the custom code component comprises a message to be displayed by the custom code component that concerns the action that should be blocked.
- the data to be utilized by the custom code component comprises one or more of: information to be displayed by the custom code component; actions to be performed by the custom code component; or instructions to be executed by the custom code component.
- a system comprises: a client computer interconnected to an application server via a proxy server, the client computer executing a front-end component of an application and the application server executing a back-end component of the application, the client computer being configured to: receive a custom code component from the proxy server; and inject the custom code component into the front-end component of the application; the front-end component of the application being configured to: generate a request intended for the back-end component of the application; send the request to the proxy server; receive a response to the request from the proxy server, the response including a command to create a cookie that was created by the proxy server; and create the cookie on the client computer based on the command; and the custom code component being configured to utilize data that is included in the cookie.
- the custom code component is further configured to periodically determine if a new cookie has been received.
- the front-end component of the application comprises a web page displayed by a web browser executing on the client computer.
- the custom code component comprises code that is appended to the web page.
- the request comprises a Hypertext Transfer Protocol (HTTP) request and the response comprises an HTTP response.
- the custom code component is configured to utilize the data that is included in the cookie by performing one or more of: displaying information included in the cookie; performing actions specified in the cookie; or executing instructions included in the cookie.
- a method is performed by a computing device that is interconnected between a client computer that is executing a front-end component of an application and an application server that is executing a back-end component of the application.
- the method comprises: causing a custom code component to be injected into the front-end component of an application; intercepting a request sent from the front-end component of the application and intended for the back-end component of the application; and generating a response to the request that includes a command to create a cookie at the client computer, the cookie including data to be utilized by the custom code component.
- the request comprises a Hypertext Transfer Protocol (HTTP) request and the response comprises an HTTP response.
- said generating the response to the request further comprises: creating a response; or modifying a response received from the application back-end component.
- the method further comprises determining that the request comprises an action that should be blocked and generating the response based on the determination.
- the data to be consumed by the custom code component comprises a message to be displayed by the custom code component that concerns the action that should be blocked.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/165,730 US11616847B2 (en) | 2018-10-19 | 2018-10-19 | Leveraging web cookies for carrying messages across cloud application communications |
US18/181,757 US20230216925A1 (en) | 2018-10-19 | 2023-03-10 | Leveraging web cookies for carrying messages across cloud application communications |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US16/165,730 US11616847B2 (en) | 2018-10-19 | 2018-10-19 | Leveraging web cookies for carrying messages across cloud application communications |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/181,757 Continuation US20230216925A1 (en) | 2018-10-19 | 2023-03-10 | Leveraging web cookies for carrying messages across cloud application communications |
Publications (2)
Publication Number | Publication Date |
---|---|
US20200128085A1 US20200128085A1 (en) | 2020-04-23 |
US11616847B2 true US11616847B2 (en) | 2023-03-28 |
Family
ID=70278976
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/165,730 Active 2040-01-05 US11616847B2 (en) | 2018-10-19 | 2018-10-19 | Leveraging web cookies for carrying messages across cloud application communications |
US18/181,757 Pending US20230216925A1 (en) | 2018-10-19 | 2023-03-10 | Leveraging web cookies for carrying messages across cloud application communications |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/181,757 Pending US20230216925A1 (en) | 2018-10-19 | 2023-03-10 | Leveraging web cookies for carrying messages across cloud application communications |
Country Status (1)
Country | Link |
---|---|
US (2) | US11616847B2 (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11343281B2 (en) * | 2019-08-16 | 2022-05-24 | Cisco Technology, Inc. | Enhanced web application security communication protocol |
US11252194B2 (en) * | 2019-07-08 | 2022-02-15 | Cloudflare, Inc. | Method and apparatus of automatic generation of a content security policy for a network resource |
US11356486B2 (en) * | 2019-09-30 | 2022-06-07 | Oracle International Corporation | Dynamic code injection by policy enforcement point |
CN111625860A (en) * | 2020-05-22 | 2020-09-04 | 广东浪潮大数据研究有限公司 | Access control method, device and equipment of application program and storage medium |
US11729168B2 (en) * | 2021-03-23 | 2023-08-15 | Appaegis Inc. | System and method for managing security credentials of a user in a computing environment |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070239528A1 (en) * | 2006-03-29 | 2007-10-11 | Reachlocal, Inc. | Dynamic proxy method and apparatus for an online marketing campaign |
US20120047259A1 (en) * | 2010-08-17 | 2012-02-23 | Mcafee, Inc. | Web hosted security system communication |
US20140351915A1 (en) * | 2010-02-17 | 2014-11-27 | Nokia Coporation | Method and apparatus for providing an authentication context-based session |
US20170163724A1 (en) * | 2015-12-04 | 2017-06-08 | Microsoft Technology Licensing, Llc | State-Aware Load Balancing |
US20170223049A1 (en) * | 2016-01-29 | 2017-08-03 | Zenedge, Inc. | Detecting Human Activity to Mitigate Attacks on a Host |
- 2018-10-19 US US16/165,730 patent/US11616847B2/en active Active
- 2023-03-10 US US18/181,757 patent/US20230216925A1/en active Pending
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20070239528A1 (en) * | 2006-03-29 | 2007-10-11 | Reachlocal, Inc. | Dynamic proxy method and apparatus for an online marketing campaign |
US20140351915A1 (en) * | 2010-02-17 | 2014-11-27 | Nokia Coporation | Method and apparatus for providing an authentication context-based session |
US20120047259A1 (en) * | 2010-08-17 | 2012-02-23 | Mcafee, Inc. | Web hosted security system communication |
US20170163724A1 (en) * | 2015-12-04 | 2017-06-08 | Microsoft Technology Licensing, Llc | State-Aware Load Balancing |
US20170223049A1 (en) * | 2016-01-29 | 2017-08-03 | Zenedge, Inc. | Detecting Human Activity to Mitigate Attacks on a Host |
US10735382B2 (en) * | 2016-01-29 | 2020-08-04 | Zenedge, Inc. | Detecting human activity to mitigate attacks on a host |
Non-Patent Citations (2)
Title |
---|
"Is It Permissible For an Intermediate Proxy to Add Cookies During Proxy Authentication?"—Server Fault, Nov. 15, 2017 https://serverfault.com/questions/883586/is-it-permissible-for-an-intermediate-proxy-to-add-cookies-during-proxy-authenti (Year: 2017). * |
"Routing to proxy and code injection into files served on local network"—Server Fault, Jan. 31, 2013 https://serverfault.com/questions/474244/routing-to-proxy-and-code-injection-into-files-served-on-local-network (Year: 2013). * |
Also Published As
Publication number | Publication date |
---|---|
US20230216925A1 (en) | 2023-07-06 |
US20200128085A1 (en) | 2020-04-23 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11178112B2 (en) | Enforcing security policies on client-side generated content in cloud application communications | |
US20230216925A1 (en) | Leveraging web cookies for carrying messages across cloud application communications | |
US11595392B2 (en) | Gateway enrollment for internet of things device management | |
CN112154639B (en) | Multi-factor authentication without user footprint | |
CN112913208B (en) | Multi-tenant identity cloud service with in-house deployed authentication integration and bridge high availability | |
US10223524B1 (en) | Compromised authentication information clearing house | |
US9729506B2 (en) | Application programming interface wall | |
US9838384B1 (en) | Password-based fraud detection | |
EP3878159A2 (en) | Systems and methods for application pre-launch | |
US10176318B1 (en) | Authentication information update based on fraud detection | |
EP3292475B1 (en) | Secure container platform for resource access and placement on unmanaged and unsecured devices | |
US20220366050A1 (en) | Cyber secure communications system | |
US11831616B2 (en) | Reverse proxy servers for implementing application layer-based and transport layer-based security rules | |
EP4097944B1 (en) | Metadata-based detection and prevention of phishing attacks | |
US10511584B1 (en) | Multi-tenant secure bastion | |
US11310034B2 (en) | Systems and methods for securing offline data | |
US11368487B2 (en) | Applying security policies to web traffic while maintaining privacy | |
US20230412596A1 (en) | Transparently using origin isolation to protect access tokens | |
Bareño-Gutiérrez et al. | Analysis of WEB Browsers of HSTS Security Under the MITM Management Environment | |
US11743256B1 (en) | Security measures for extended sessions using multi-domain data | |
Srinivasan et al. | Cloud computing security |
Legal Events
Code | Title | Description |
---|---|---|
AS | Assignment | Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON. Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:KHAIT, VITALY;RAPPAPORT, NIR M.;REEL/FRAME:047238/0096 Effective date: 20181018 |
FEPP | Fee payment procedure | Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: NON FINAL ACTION MAILED |
STPP | Information on status: patent application and granting procedure in general | Free format text: FINAL REJECTION MAILED |
STCV | Information on status: appeal procedure | Free format text: NOTICE OF APPEAL FILED |
STCV | Information on status: appeal procedure | Free format text: APPEAL BRIEF (OR SUPPLEMENTAL BRIEF) ENTERED AND FORWARDED TO EXAMINER |
STCV | Information on status: appeal procedure | Free format text: EXAMINER'S ANSWER TO APPEAL BRIEF MAILED |
STCV | Information on status: appeal procedure | Free format text: ON APPEAL -- AWAITING DECISION BY THE BOARD OF APPEALS |
STCV | Information on status: appeal procedure | Free format text: BOARD OF APPEALS DECISION RENDERED |
STPP | Information on status: patent application and granting procedure in general | Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS |
STCF | Information on status: patent grant | Free format text: PATENTED CASE |
CC | Certificate of correction | |